Army strengthens access rules for secret network

Jared Serbu, DoD reporter, Federal News Radio

TAMPA, Fla. — The Army has moved more than 2,000 users of the military's secret computer network to a new, more secure system for signing in — one of several advances the service said it's making on identity management.

Currently, most users of the Defense Department's classified network, known as SIPRNet, log on using just a username and password. That method is going away in favor of a more secure, two-factor authentication system: combining something users know with something they have in their physical possession, just as they currently do when they log onto the non-secret network, NIPRNet, with their common access cards.

Users will get a similar but separate public key infrastructure (PKI) smart card and PIN that will be used only for the secret network. The Army said it has deployed these new cards to a first group of 2,400 users through an initial operational test and evaluation (IOT&E).

"It's really cool," Traylor told an Army audience at the LandWarNet conference Tuesday. "It's a live token — you get to keep it for three years, it's not that we're going to take it back at the end of the IOT&E — and you don't have to remember that 15-character password that we all have written on the sticky note under the keyboard or in the desk."

The Army received DoD approval to continue deploying the cards in an extended test period to its organizations that volunteer. Traylor said they want to distribute as many as they can through the test in order to avoid a mad dash to make the switch all at once when DoD finally pulls the plug on SIPRNet usernames and passwords.

DoD is paying the bill for the initial deployment of the smartcard system, a capital expenditure that Traylor said would otherwise be significant for the Army. Just the physical cards themselves cost around $40 each, and the Army has an estimated 300,000 SIPRNet users.

Meanwhile, the Army, and DoD as a whole, are beefing up the security of their existing system of common access cards, which are used for most day-to-day unclassified tasks. They're phasing out an older, weaker cryptographic hash algorithm known as SHA-1, which is now more than 15 years old. Its replacement, the stronger SHA-2 family, will take over on Jan. 1, 2014, and SHA-1 will no longer be supported on newly minted cards.

Seamless transition?

Traylor said the Army wants to make the transition as painless to users as possible, but there are no guarantees.

"Your CAC card will continue to work," she said. "Your Web applications and things like that that only accept SHA-1 may not. We just went out with a data call to find out what applications were out there to make people aware that this change was coming. As we do data center consolidation, we've added that to the checklist. As they take an application and move it from one data center to a new data center, that's something they're watching for. We want Jan. 1, 2014 to be uneventful, so that when that new CAC card is issued, it's just transparent. The apps are ready to go, no big deal."

Another reason for the move: it's required for DoD to continue to share information with many of the federal government's civilian agencies.

"A lot of organizations have just gone straight to SHA-2," she said. "If you're authenticating to some of their data systems or websites, they're already there."
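A starting point for the kind of application inventory the data call above asks for, as an added example that is not from the article or from the Army: walk the outer structure of a DER-encoded X.509 certificate, read its signatureAlgorithm OID, and flag anything still signed with SHA-1. The OID-to-hash table holds standard values; the two skeleton certificates are constructed for the example and carry an empty tbsCertificate.

```python
"""Report the signature hash used on a DER-encoded X.509 certificate (added example)."""

# Well-known signature-algorithm OIDs mapped to the hash they use.
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.5": "SHA-1",      # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "SHA-256",   # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-384",   # sha384WithRSAEncryption
    "1.2.840.10045.4.1": "SHA-1",         # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "SHA-256",     # ecdsa-with-SHA256
}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Turn DER OID content bytes into dotted form (base-128 arcs, first byte = 40*a+b)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def certificate_signature_hash(der_cert):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue };
    return the hash family named in signatureAlgorithm, e.g. "SHA-1" or "SHA-256"."""
    tag, body, _ = read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(body, 0)              # skip tbsCertificate
    tag, alg_id, _ = read_tlv(body, pos)       # signatureAlgorithm
    oid_tag, oid_bytes, _ = read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    oid = decode_oid(oid_bytes)
    return SIG_ALG_HASH.get(oid, "unknown OID " + oid)

def is_sha1_signed(der_cert):
    """True when the certificate would stop working once SHA-1 acceptance is removed."""
    return certificate_signature_hash(der_cert) == "SHA-1"

# Constructed skeletons: empty tbsCertificate, AlgorithmIdentifier, empty BIT STRING.
SHA1_SKELETON = bytes.fromhex("3014" "3000" "300d0609" "2a864886f70d010105" "0500" "030100")
SHA256_SKELETON = bytes.fromhex("3014" "3000" "300d0609" "2a864886f70d01010b" "0500" "030100")
```

On a real certificate the same walk applies because only the outer three-element SEQUENCE is inspected; the tbsCertificate is skipped regardless of its size.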

But regardless of how DoD users authenticate themselves to the network, many of the discrete systems inside the network that people need to access on a day-to-day basis still rely on individual, localized schemes of usernames and passwords.

That brings up a third change the Army has just started to tackle with the Defense Information Systems Agency. DISA is working on a system to synchronize DoD users' identities across the myriad systems the military services run around the globe and eventually aims to eliminate all of those individual accounts.

Identity 'forest'

"We're going to take your identity and your attributes that make up who you are — major, contractor, reserve, civilian — all of these things about you, and store it in an identity forest," she said. "Our goal is to authenticate once, based on your single identity and all these attributes that we know about you, and then grant you access to those things that you need."